Tag: Uber

Hackers stole the personal data of 57 million customers and drivers and the ride-hailing company allegedly paid them $100,000 to delete the information and “go away”.

The data was compromised in October 2016, and Uber has managed to conceal the breach for more than a year, according to Bloomberg.

Uber claims they were involved in negotiations with US regulators about separate privacy violations at the time of the breach.

But the company now admits they were legally required to report the hack to regulators and to drivers whose license numbers were taken.

However, Uber reportedly paid the hackers $100,000 to delete the data instead.

Joe Sullivan, Uber’s chief security officer, was fired this week for his role in keeping the hack quiet. One of Sullivan’s deputies was also fired for helping.

Ex-CEO and co-founder, Travis Kalanick, reportedly found out about the hack in November 2016, but at the time Uber had just settled a lawsuit with the New York attorney general over the company’s privacy practices.

Dara Khosrowshahi took over as Uber’s new CEO in September.

‘None of this should have happened, and I will not make excuses for it,’ Khosrowshahi said in a press statement on Tuesday. ‘We are changing the way we do business.’

‘At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.

‘We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,’ Khosrowshahi said.

The hackers stole names, email addresses, and phone numbers from 50 million Uber riders worldwide, said in the statement.

Personal information from 7 million drivers was also compromised. That figure includes about 600,000 US driver’s license numbers that were stolen.

The company said they don’t believe the information was ever used. Uber also declined to release the identities of the hackers.

‘While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,’ Khosrowshahi said.

Dara Khosrowshahi took over as Uber’s new CEO in September. ‘None of this should have happened, and I will not make excuses for it,’ Khosrowshahi (pictured last month) said. ‘We are changing the way we do business’ +5
Dara Khosrowshahi took over as Uber’s new CEO in September. ‘None of this should have happened, and I will not make excuses for it,’ Khosrowshahi (pictured last month) said. ‘We are changing the way we do business’

Uber’s hack joins the ranks of other massive hacks such as Yahoo and Equifax. In September, Equifax reported that the hack compromised the sensitive information of 145.5 million people and the Yahoo hack affected three billion +5
Uber’s hack joins the ranks of other massive hacks such as Yahoo and Equifax. In September, Equifax reported that the hack compromised the sensitive information of 145.5 million people and the Yahoo hack affected three billion

According to Bloomberg, Sullivan, who joined Uber in 2015, was the guy who spearheaded the response to the hack last year.

Last month, an investigation was launched into the activities of Sullivan’s security team. During the investigation, the hack and cover-up were discovered.

Uber said two attackers gained access to private GitHub coding site used by Uber software engineers, according to Bloomberg.

From there, the hackers used login credentials they obtained from GitHub to access data stored on an Amazon Web Services account.

The hackers then found an archive of rider and driver information. Once the information was accessed, the attackers asked Uber for money.

Khosrowshahi said he’s bringing on board Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, for guidance on ‘how best to guide and structure our security teams and processes going forward’.

The company is currently in the process of ‘individually notifying the drivers whose driver’s license numbers were downloaded’. Uber will also provide these drivers with free credit monitoring and identity theft protection.

Uber’s hack joins the ranks of other massive hacks such as Yahoo and Equifax. In September, Equifax reported that the hack compromised the sensitive information of 145.5 million people.

And last month, Yahoo admitted that three billion Yahoo users were affected by the 2013 data theft that the company originally said had only affected 1 billion users.

Shortly after taking over Uber in September, Dara Khosrowshahi told employees to brace for a painful six months.

US officials are looking into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property. The very attributes that, for years, set the company on a rocket-ship trajectory – a tendency to ignore rules, to compete with a mix of ferocity and paranoia – have unleashed forces that are now dragging Uber back to down to earth.

Uber faces at least five criminal probes from the Justice Department – two more than previously reported. Bloomberg has learned that authorities are asking questions about whether Uber violated price-transparency laws, and officials are separately looking into the company’s role in the alleged theft of schematics and other documents outlining Alphabet’s autonomous-driving technology.

Uber is also defending itself against dozens of civil suits, including one brought by Alphabet that’s scheduled to go to trial in December.

“There are real political risks for playing the bad guy”

Some governments, sensing weakness, are moving toward possible bans of the ride-hailing app. London, one of Uber’s most profitable cities, took steps to outlaw the service, citing “a lack of corporate responsibility” and specifically, company software known as Greyball, which is the subject of yet another US probe.

(Uber said it didn’t use the program to target officials in London, as it had elsewhere, and will continue to operate there while it appeals a ban.) Brazil is weighing legislation that could make the service illegal – or at least treat it more like a taxi company, which is nearly as offensive in the eyes of Uber.

Interviews with more than a dozen current and former employees, including several senior executives, describe a widely held view inside the company of the law as something to be tested.

Travis Kalanick, the co-founder and former CEO, set up a legal department with that mandate early in his tenure. The approach created a spirit of rule-breaking that has now swamped the company in litigation and federal inquisition, said the people, who asked not to be identified discussing sensitive matters.

Kalanick took pride in his skills as a micromanager. When he was dissatisfied with performance in one of the hundreds of cities where Uber operates, Kalanick would dive in by texting local managers to up their game, set extraordinary growth targets or attack the competition.

His interventions sometimes put the company at greater legal risk, a group of major investors claimed when they ousted him as CEO in June. Khosrowshahi has been on an apology tour on behalf of his predecessor since starting. Spokespeople for Kalanick, Uber and the Justice Department declined to comment.

Kalanick also defined Uber’s culture by hiring deputies who were, in many instances, either willing to push legal boundaries or look the other way. Chief security officer Joe Sullivan, who previously held the same title at Facebook, runs a unit where Uber devised some of the most controversial weapons in its arsenal. Uber’s own board is now looking at Sullivan’s team, with the help of an outside law firm.

Salle Yoo, the longtime legal chief who will soon leave the company, encouraged her staff to embrace Kalanick’s unique corporate temperament. “I tell my team, ‘We’re not here to solve legal problems. We’re here to solve business problems. Legal is our tool,’” Yoo said on a podcast early this year. “I am going to be supportive of innovation.”

From Uber’s inception, the app drew the ire of officials. After a couple years of constant sparring with authorities, Kalanick recognised he needed help and hired Yoo as the first general counsel in 2012. Yoo, an avid tennis player, had spent 13 years at the corporate law firm Davis Wright Tremaine and rose to become partner. One of her first tasks at Uber, according to colleagues, was to help Kalanick answer a crucial question: Should the company ignore taxi regulations?

Around that time, a pair of upstarts in San Francisco, Lyft and Sidecar, had begun allowing regular people to make money by driving strangers in their cars, but Uber was still exclusively for professionally licenced drivers, primarily behind the wheel of black cars. Kalanick railed against the model publicly, arguing that these new hometown rivals were breaking the law. But no one was shutting them down. Kalanick, a fiercely competitive entrepreneur, asked Yoo to help draft a legal framework to get on the road.

By January 2013, Kalanick’s view of the law changed. “Uber will roll out ridesharing on its existing platform in any market where the regulators have tacitly approved doing so,” Kalanick wrote in a since-deleted blog post outlining the company’s position.

Uber faced some regulatory blowback but was able to expand rapidly, armed with the CEO’s permission to operate where rules weren’t being actively enforced. Venture capitalists rewarded Uber with a $17bn valuation in 2014. Meanwhile, other ride-hailing startups at home and around the world were raising hundreds of millions apiece. Kalanick was determined to clobber them.

One way to get more drivers working for Uber was to have employees “slog.” This was corporate speak for booking a car on a competitor’s app and trying to convince the driver to switch to Uber. It became common practice all over the world, five people familiar with the process said.

Staff eventually found a more efficient way to undermine its competitors: software. A breakthrough came in 2015 from Uber’s office in Sydney. A program called Surfcam, two people familiar with the project said, scraped data published online by competitors to figure out how many drivers were on their systems in real-time and where they were.

The tool was primarily used on Grab, the main competitor in Southeast Asia. Surfcam, which hasn’t been previously reported, was named after the popular webcams in Australia and elsewhere that are pointed at beaches to help surfers monitor swells and identify the best times to ride them.

Surfcam raised alarms with at least one member of Uber’s legal team, who questioned whether it could be legally operated in Singapore because it may run afoul of Grab’s terms of service or the country’s strict computer-crime laws, a person familiar with the matter said. Its creator, who had been working out of Singapore after leaving Sydney, eventually moved to Uber’s European headquarters in Amsterdam. He’s still employed by the company.

“This is the first time as a lawyer that I’ve been asked to be innovative.”

Staff at home base in San Francisco had created a similar piece of software called Hell. It was a tongue-in-cheek reference to the Heaven program, which allows employees to see where Uber drivers are in a city at a given moment. With Hell, Uber scraped Lyft data for a view of where its rival’s drivers were.

The legal team decided the law was unclear on such tactics and approved Hell in the US, a program first reported by technology website the Information.

Now as federal authorities investigate the program, they may need to get creative in how to prosecute the company. “You look at what categories of law you can work with,” said Yochai Benkler, co-director of Harvard University’s Berkman Klein Centre for Internet and Society. “None of this fits comfortably into any explicit prohibitions.”

Uber’s lawyers had a hard time keeping track of all the programs in use around the world that, in hindsight, carried significant risks. They signed off on Greyball, a tool that could tag select customers and show them a different version of the app.

Workers used Greyball to obscure the actual locations of Uber drivers from customers who might inflict harm on them. They also aimed the software at Lyft employees to thwart any slog attempts.

The company realised it could apply the same approach with law enforcement to help Uber drivers avoid tickets. Greyball, which was first covered by the New York Times, was deployed widely in and outside the US without much legal oversight.

Katherine Tassi, a former attorney at Uber, was listed as Greyball supervisor on an internal document early this year, months after decamping for Snap in 2016. Greyball is under review by the Justice Department. In another case, Uber settled with the Federal Trade Commission in August over privacy concerns with a tool called God View.

Uber is the world’s most valuable technology startup, but it hardly fits the conventional definition of a tech company. Thousands of employees are scattered around the world helping tailor Uber’s service for each city. The company tries to apply a Silicon Valley touch to the old-fashioned business of taxis and black cars, while inserting itself firmly into gray areas of the law, said Benkler.

“There are real political risks for playing the bad guy, and it looks like they overplayed their hand in ways that were stupid or ultimately counterproductive,” he said. “Maybe they’ll bounce back and survive it, but they’ve given competitors an opening.”

Kalanick indicated from the beginning that what he wanted to achieve with Yoo was legally ambitious. In her first performance review, Kalanick told her that she needed to be more “innovative.” She stewed over the feedback and unloaded on her husband that night over a game of tennis, she recalled in the podcast on Legal Talk Network. “I was fuming. I said to my husband, who is also a lawyer: ‘Look, I have such a myriad of legal issues that have not been dealt with. I have constant regulatory pressures, and I’m trying to grow a team at the rate of growth of this company.’”

By the end of the match, Yoo said she felt liberated. “This is the first time as a lawyer that I’ve been asked to be innovative. What I’m hearing from this is I actually don’t have to do things like any other legal department. I don’t have to go to best practices. I have to go to what is best for my company, what is best for my legal department. And I should view this as, actually, freedom to do things the way I think things should be done, rather than the way other people do it.”

Prosecutors may not agree with Yoo’s assumptions about how things should be done. Even when Yoo had differences of opinion with Kalanick, she at times failed to challenge him or his deputies, or to raise objections to the board.

After a woman in Delhi was raped by an Uber driver, the woman sued the company. Yoo was doing her best to try to manage the fallout by asking law firm Khaitan & Co to help assess a settlement. Meanwhile, Kalanick stepped in to help craft the company’s response, privately entertaining bizarre conspiracy theories that the incident had been staged by Indian rival Ola, people familiar with the interactions have said.

READ: Indian woman accuses Uber driver of sexual harassment
Eric Alexander, an Uber executive in Asia, somehow got a copy of the victim’s medical report in 2015. Kalanick and Yoo were aware but didn’t take action against him, the people said. Yoo didn’t respond to requests for comment.

The mishandling of the medical document led to a second lawsuit from the woman this year. The Justice Department is now carrying out a criminal bribery probe at Uber, which includes questions about how Alexander obtained the report, two people said. Alexander declined to comment through a spokesperson.

In 2015, Kalanick hired Sullivan, the former chief security officer at Facebook. Sullivan started his career as a federal prosecutor in computer hacking and intellectual property law. He’s been a quiet fixture of Silicon Valley for more than a decade, with stints at PayPal and EBay Inc. before joining Facebook in 2008.

It appears Sullivan was the keeper of some of Uber’s darkest secrets. He oversees a team formerly known as Competitive Intelligence. COIN, as it was referred to internally, was the caretaker of Hell and other opposition research, a sort of corporate spy agency.

A few months after joining Uber, Sullivan shut down Hell, though other data-scraping programs continued. Another Sullivan division was called the Strategic Services Group. The SSG has hired contractors to surveil competitors and conducts extensive vetting on potential hires, two people said.

Last year, Uber hired private investigators to monitor at least one employee, three people said. They watched Liu Zhen, then the head of strategy in China and the cousin of local ride-hailing startup Didi Chuxing, as the companies were negotiating a sale. Liu couldn’t be reached for comment.

Sullivan wasn’t just security chief at Uber. Unknown to the outside world, he also took the title of deputy general counsel, four people said. The designation could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.

Sullivan’s work is largely a mystery to the company’s board. Bloomberg learned the board recently hired a law firm to question security staff and investigate activities under Sullivan’s watch, including COIN. Sullivan declined to comment. COIN now goes by a different but similarly obscure name: Marketplace Analytics.

As Uber became a global powerhouse, the balance between innovation and compliance took on more importance. An Uber attorney asked Kalanick during a company-wide meeting in late 2015 whether employees always needed to follow local ride-hailing laws, according to three people who attended the meeting. Kalanick repeated an old mantra, saying it depended on whether the law was being enforced.

A few hours later, Yoo sent Kalanick an email recommending “a stronger, clearer message of compliance,” according to two people who saw the message. The company needed to adhere to the law no matter what, because Uber would need to demonstrate a culture of legal compliance if it ever had to defend itself in a criminal investigation, she argued in the email.

Kalanick continued to encourage experimentation. In June 2016, Uber changed the way it calculated fares. It told customers it would estimate prices before booking but provided few details.

Using one tool, called Cascade, the company set fares for drivers using a longstanding formula of mileage, time and demand. Another tool called Firehouse let Uber charge passengers a fixed, upfront rate, relying partly on computer-generated assumptions of what people traveling on a particular route would be willing to pay.

Drivers began to notice a discrepancy, and Uber was slow to fully explain what was going on. In the background, employees were using Firehouse to run large-scale experiments offering discounts to some passengers but not to others.

“Lawyers don’t realize that once they let the client cross that line, they are prisoners of each other from that point on”

While Uber’s lawyers eventually looked at the pricing software, many of the early experiments were run without direct supervision. As with Greyball and other programs, attorneys failed to ensure Firehouse was used within the parameters approved in legal review. Some cities require commercial fares to be calculated based on time and distance, and federal law prohibits price discrimination. Uber was sued in New York over pricing inconsistencies in May, and the case is seeking class-action status. The Justice Department has also opened a criminal probe into questions about pricing, two people familiar with the inquiry said.

As the summer of 2016 dragged on, Yoo became more critical of Kalanick, said three former employees. Kalanick wanted to purchase a startup called Otto to accelerate the company’s ambitions in self-driving cars. In the process, Otto co-founder Anthony Levandowski told the company he had files from his former employer, Alphabet, the people said.

Yoo expressed reservations about the deal, although accounts vary on whether those were conveyed to Kalanick. He wanted to move forward anyway. Yoo and her team then determined that Uber should hire cyber-forensics firm Stroz Friedberg in an attempt to wall off any potentially misbegotten information.

Alphabet’s Waymo sued Uber this February, claiming it benefited from stolen trade secrets. Uber’s board wasn’t aware of the Stroz report’s findings or that Levandowski allegedly had Alphabet files before the acquisition, according to testimony from Bill Gurley, a venture capitalist and former board member, as part of the Waymo litigation. The judge in that case referred the matter to U.S. Attorneys. The Justice Department is now looking into Uber’s role as part of a criminal probe, two people said.

As scandal swirled, Kalanick started preaching the virtues of following the law. Uber distributed a video to employees on March 31 in which Kalanick discussed the importance of compliance. A few weeks later, Kalanick spoke about the same topic at an all-hands meeting.

Despite their quarrels and mounting legal pressure, Kalanick told employees in May that he was promoting Yoo to chief legal officer. Kalanick’s true intention was to sideline her from daily decisions overseen by a general counsel, two employees who worked closely with them said. Kalanick wrote in a staff email that he planned to bring in Yoo’s replacement to “lead day to day direction and operation of the legal and regulatory teams.” This would leave Yoo to focus on equal-pay, workforce-diversity and culture initiatives, he wrote.

Before Kalanick could find a new general counsel, he resigned under pressure from investors. Yoo told colleagues last month that she would leave, too, after helping Khosrowshahi find her replacement. He’s currently interviewing candidates. Yoo said she welcomed a break from the constant pressures of the job. “The idea of having dinner without my phone on the table or a day that stays unplugged certainly sounded appealing,” she wrote in an email to her team.

The next legal chief won’t be able to easily shed the weight of Uber’s past. “Lawyers don’t realize that once they let the client cross that line, they are prisoners of each other from that point on,” said Marianne Jennings, professor of legal and ethical studies in business at Arizona State University.

“It’s like chalk. There’s a chalk line: It’s white; it’s bright; you can see it. But once you cross over it a few times, it gets dusted up and spread around. So it’s not clear anymore, and it just keeps moving. By the time you realize what’s happening, if you say anything, you’re complicit. So the questions start coming to you: ‘How did you let this go?’”

Here’s a new mini-crisis for Uber’s new CEO: Transport for London, the taxi regulating service in London, has announced that it would not be renewing Uber’s license to operate because of concerns over the company’s “lack of corporate responsibility” in relation to public safety issues.

The ride-hail company, which launched in London in 2012, is appealing the TfL’s decision and will be allowed to continue to operate until a court makes a decision on that appeal. That process could take months.

London
London is a significant market for Uber: The company says there are 40,000 drivers and 3.5 million riders on its platform in London. And like New York City, it is one of the most regulated markets where Uber operates. Unlike most markets across the U.S., Uber drivers in London and New York City are required to participate in government-administered background checks.

In the meantime, the company has begun to employ an old trick of the trade and is circulating a petition to London Mayor Sadiq Khan asking him to reconsider the ban. It’s a tried-and-true method the ride-hail company has used when facing regulatory issues in the past. The company has often touted mobilizing its customer base to fight for its service as one of the key enablers of its legal status across the U.S.

Already, the petition has garnered more than 500 000 signatures.

In announcing its decision, the TfL cited its concerns over how Uber’s London arm handled reporting criminal offenses that occur during its rides as well as its use of its so-called “greyball” software tool designed to evade local authorities. But Uber London general manager Tom Elvidge said greyball was never used in London “for the purposes cited by the TfL”. (We’ve asked Uber if greyball was used in London in any capacity.)

“Drivers who use Uber are licensed by Transport for London and have been through the same enhanced DBS background checks as black cab drivers,” Elvidge said in a statement. “Our pioneering technology has gone further to enhance safety with every trip tracked and recorded by GPS. We have always followed TfL rules on reporting serious incidents and have a dedicated team who work closely with the Metropolitan Police. As we have already told TfL, an independent review has found that ‘greyball’ has never been used or considered in the U.K. for the purposes cited by TfL.”

While Uber has seen surprising growth in places like Mexico, which is now one of its biggest markets, the company has come up against regulatory issues and strong local competitors in places like Europe and Asia.

Most recently, the company merged its Russia business with local competitor Yandex Taxi in an effort to end the uphill battle for market share. Uber also pulled out of Denmark in March as a result of new taxi laws that required its drivers to put taxi meters in their cars.

“By wanting to ban our app from the capital, Transport for London and the Mayor have caved in to a small number of people who want to restrict consumer choice,” Elvidge said. “If this decision stands, it will put more than 40,000 licensed drivers out of work and deprive Londoners of a convenient and affordable form of transport.”

Quebec, Canada
Uber has said it will cease operations in Quebec next month after the Canadian province passed new regulations that the company opposed. The decision to pull out of Canada’s second most populous province comes as Uber is battling a decision by London officials to revoke its license, dealing a blow to new CEO Dara Khosrowshahi’s effort to rebuild the company’s image.

South Africa
Uber has also experienced a fair number of troubles in South Africa – particularly Johannesburg, where cars have been set alight and drivers attacked.

Regards, Uber has shown growth in the region. Data released this week indicates that:

Johannesburg – Uber had 174,000 active riders from 57 nationalities. Of the trips undertaken, 87% had a wait time of under 10 minutes.

Cape Town – Uber had 112,000 active riders from 60 nationalities. Around 90% of trips had a wait time of under 10 minutes.

Durban – Uber had 31,000 active riders from 47 nationalities, and 88% of riders experienced wait times of under 10 minutes.

Port Elizabeth – There were riders from 21 nationalities, and 67% of trips had a wait time of under 10 minutes.